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ENHANCED SECURITY FEATURES 
FOR AN AUTOMATED ORDER FULFILLMENT SYSTEM 



FIELD OF THE INVENTION 

This invention relates to improvements in an automated 
system for managing fulfillment of customer orders, and more 
particularly to security enhancements to prevent fraud by 
system users. 



f u BACKGROUND OF THE INVENTION 

D A number of processes related to the fulfillment of 

*j customer orders lend themselves to automation. For example, 

u systems have been developed for (1) scheduling the shipment of 

15 goods to a customer and (2) managing customer accounts payable. 

ij More recently, an integrated system for managing the 

[| fulfillment of orders has become available. An example of such 

5 an integrated system is the SAP™ system ("Systems, 

:Q Applications, Products and Data Processing") offered by SAP AG, 

20 Walldorf, Germany. 

Security functions in separate materials management and 
customer accounts-payable systems, providing safeguards against 
fraud and inappropriate business practices, can be inadequate 
when those systems are integrated (for example, into the SAP 
25 system). Each user (known to the system by his user ID) has a 

"security profile" listing the transactions he may approve or 
the tasks he is authorized to perform. Some of these 
transactions are incompatible, in the sense that having them 
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under control of a single individual could result in abuse of 
the system. For example, a user authorized both (1) to approve 
the shipment of goods to a certain customer and (2) to adjust 
the amount owed by a customer, could fraudulently ship goods to 
himself free of charge. Furthermore, an individual with a 
single user ID but multiple security profiles could initiate a 
transaction under one profile, then instruct the system to 
perform an incompatible transaction appearing under another 
profile. 

Accordingly, there is a need for improved security in an 
automated system for managing the fulfillment of orders, 
whereby the security profiles of users are analyzed and 
modified to prevent incompatible transactions by those users . 

SUMMARY OF THE INVENTION 

The present invention provides a system for the separation 
of incompatible transactions within a system such as the SAP 
system, so that critical tasks (those tasks susceptible to 
abuse or fraud) may be assigned to different individuals. In 
accordance with the invention, this system determines which 
transactions in a user's security profile are incompatible with 
each other, and then generates a report indicating the security 
profile which has incompatible transactions. The security 
profiles may then be modified, to prevent inappropriate 
business conduct including fraud and misuse of funds. 

According to a first aspect of the present invention, a 
method is provided which includes the steps of assigning a user 
identifier to each user of the system; preparing a security 
profile corresponding to each identifier, where each security 
profile includes a set of authorized transactions; and 
preparing a list of pairs of incompatible transactions in 
accordance with predetermined rules of business conduct. Then, 
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according to this method, each security profile is compared 
with that list, to identify security profiles including at 
least one pair of incompatible transactions. A report is 
generated indicating those security profiles which include 
incompatible transactions and the user identifiers associated 
with those security profiles. If a security profile is found 
to have a pair of incompatible transactions, it may be 
modified; alternatively, the list of pairs of incompatible 
transactions may be modified, so that the security profile does 
not include a pair of incompatible transactions. Another 
report may then be generated indicating the modification made. 

A given user identifier may have more than one security 
profile associated therewith. In accordance with a second 
aspect of the invention, a method is provided which includes 
the steps of assigning a user identifier to each user of the 
system; preparing a plurality of security profiles, where each 
user identifier is associated with at least one security 
profile; and preparing a list of pairs of incompatible 
transactions in accordance with predetermined business conduct 
rules. Furthermore, the method includes the steps of 
generating a set of transactions in all of the security 
profiles associated with each user identifier, and comparing 
that set of transactions with the list of pairs of incompatible 
transactions. This method therefore permits identification of 
user identifiers having associated therewith at least one pair 
of incompatible transactions, even if those transactions are in 
different security profiles. A report is then generated 
indicating those user identifiers. A security profile 
associated with such a user identifier may be modified; 
alternatively, the list of pairs of incompatible transactions 
may be modified, so that the user identifier no longer has a 
pair of incompatible transactions associated therewith. 
Another report may then be generated indicating any 
modification which has been made. 
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BRIEF DESCRIPTION OF THE DRAWINGS 



Figure 1 is a schematic block diagram of a computer 
system on which software embodying the present invention is 
loaded, and which includes a storage device for storing user 
IDs, security profiles, and transaction tables used in 
accordance with the present invention. 

Figure 2A illustrates in tabular form the structure of 
the user ID database. 

Figure 2B illustrates in tabular form the structure of 
the security profile database. 

Figure 3A illustrates the structure of a table of 
critical transactions. 

Figure 3B illustrates the structure of a table of 
incompatible critical transactions. 

Figure 4 is a flowchart showing a method for analyzing 
security profiles and generating a report of incompatible 
transactions in a profile, according to a first embodiment of 
the present invention. 

Figures 5A and 5B are connected flowcharts showing a 
method for analyzing security profiles associated with a 
given user ID and generating a report of incompatible 
transactions for that user, according to a second embodiment 
of the present invention. 



DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Figure 1 is a block diagram of a computer system 100 on 
which is loaded a system 101 for managing fulfillment of 
orders (e.g. the SAP system) which includes a system 110 for 
separating critical tasks or transactions among various 
system users, according to the present invention. The 
computer system 100 also includes a storage device 120, in 
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which is stored a table 121 of user IDs for the system 101; 
security profiles 122 comprising lists of specific critical 
transactions; and tables 123 of critical transactions and 
combinations of incompatible transactions. The systems 101 
and 110 access these tables, as shown schematically in Figure 
1. 

The storage device 120 may be an integral part of the 
computer system 100, as shown in Figure 1, or may be external 
to it. The executable code for the system 110 and the 
databases 121-123 may be stored on a variety of possible 
computer-readable media (RAM, ROM, CD-ROM, etc.). 

The system 110 of the present invention is shown in 
Figure 1 as integrated into the commercially available system 
101 for managing fulfillment of orders. Alternatively, the 
system 110 may be separate from system 101, or be invoked as 
a subroutine from system 101 (in which case the analysis of 
critical transactions may itself be viewed as a critical 
transaction, to be performed only by certain selected users). 
The user IDs 121, profiles 122 and tables 123 contain 
information used in the analysis, as detailed below. 

As shown in Figure 2A, each user of the system 101 
is assigned one record in the user ID database 121. Each 
record has fields 201 and 202 for the user ID and user name 
respectively, and a field 203 identifying the security 
profile or profiles assigned to that user. A given user may 
have a unique or custom-designed profile (for example, 
profile #1 in Figure 2A) , have a single standard profile 
(such as profiles #2 and #3), or may be assigned multiple 
profiles. The database of security profiles is shown in 
Figure 2B. Each profile identifier is associated with a 
group of critical transactions; the identifiers for the 
transactions in a given profile are listed in field 204. In 
this illustration, the transactions are identified by a four- 
character code. A system user with a given user ID is 
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authorized to perform any of the transactions in the profile 
or profiles assigned to his user ID. 

The profiles are constructed and analyzed using tables 
123-1 and 123-2 of critical transactions and incompatible 
combinations thereof, as shown in Figures 3A and 3B. Figure 
3A shows the structure of table 123-1, which has a list of 
all the critical transactions performed in system 101. Only 
the critical transactions--that is, those susceptible to 
abuse or fraud--need be listed in table 123-1. Each record 
of table 123-1 has the identifier 205 of the transaction, and 
the name of the transaction 206. Table 123-2, which is 
developed manually using the organization's rules and 
instructions (e.g. corporate "Business Conduct Guidelines"), 
lists combinations of critical transactions deemed 
incompatible: transactions which, if performed by the same 
user, would permit misuse of the system or fraud. Each 
record 301 of this table has the identifiers of two 
transactions which should not appear in the same security 
profile, or in a set of security profiles belonging to a 
particular system user. 

In the following embodiments of the invention, the 
processes of identifying and tabulating incompatible 
transactions are not fully automated. It will be appreciated 
that these processes depend upon an understanding of both the 
order-fulfillment management system and the business-conduct 
ethics governing the organization using the system. These 
particular processes reguire a level of professional judgment 
in accordance with generally accepted accounting practices 
("GAAP"), which then are implemented by a human system 
administrator . 

A flowchart of a method of analyzing a security profile, 
according to a first embodiment of the invention, is shown in 
Figure 4. In step 401, the table 122 of security profiles is 
built and stored in memory. In step 402, the combinations of 



critical transactions which are incompatible are identified. 
In a corporate environment, the corporate rules and 
instructions 450 serve as input for this step. The table 
123-2, which lists all the combinations of incompatible 
transactions, is then built (step 403). 

The identifier 203 of the profile to be analyzed is 
input by the system administrator, and this profile is 
retrieved from memory (step 404), and the transactions 
associated with that profile are compared with the table 123- 
2 (step 405). The results of this comparison (step 406) are 
included in a report (here referred to as Report #1). if no 
conflicting transactions exist in the profile, the report 
states that result (step 407). If one or more pairs of 
conflicting transactions are found, these are listed in the 
report (step 410). At this point (step 411), the person 
performing the analysis may modify the profile or the table 
123-2 to remove the conflict between transactions. 
Alternatively, he may choose to allow the conflicting 
transactions to remain in the profile, and prepare a memo to 
management justifying this course of action. 

It will be appreciated that these steps may be performed 
using an incomplete profile, so that the profile may be built 
without having incompatible transactions. In particular, it 
is desirable to analyze the profile (and make any necessary 
adjustments) while the order-fulfillment management system is 
in development, before it is moved to a production 
environment. 

According to a second embodiment of the invention, 
another report (termed Report #2) is generated in connection 
with the analysis shown in the flowcharts of Figures 5A and 
5B. Using a user ID as input, this report lists all of the 
transactions that are in conflict across all the profiles 
associated with that user ID. In steps 501-503, the tables 
122 and 123-2 are built, as described above with reference to 



steps 401-403. 

In accordance with input from the system administrator, 
a user ID is retrieved from the user ID database 121 (step 
504), and a profile associated with that user ID is retrieved 
5 from database 122 (step 505; see Figures 2A and 2B) . 

However, a particular user may be authorized to perform tasks 
or approve transactions from more than one security profile. 
All of the profiles associated with that user ID are 
retrieved (steps 505-507), and the transactions of those 
10 profiles are collected in a single, temporary list which is 

compared with the list of incompatible transactions in table 
123-2 (step 508). Accordingly, all incompatible transactions 
belonging to a user ID are identified, whether that user ID 
has a single security profile or multiple profiles. 
iJ 5 If the user ID does not have any profiles with 

% incompatible transactions, Report #2 states that result (step 

;J! 510). If, however, a set of incompatible transactions is 

found (step 509), those transactions are listed in Report #2 
Ly (step 511), along with the user ID and the profile(s) in 

^0 which the transactions appear. As in the first embodiment, 

1^ the person performing the analysis may take a number of 

fU actions to resolve the presence of incompatible transactions 

nfj (step 521): modify the profile, modify the table 123-2, or 

s-S justify the continuance of conflicting transactions belonging 

&5 to the user ID. 

It is desirable to produce another report (Report #3) 
which provides an audit trail; that is, a report listing all 
the activity that has occurred against the transaction table 
123-2. Thus if the system administrator intervenes to remove 
30 a conflict in a security profile, this action will be 

documented (step 601 in Figures 4 and 5B) . 

It will be appreciated that this procedure may be used 
when developing and testing a set of profiles for a system 
user. In that event, a dummy user ID with those profiles 
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assigned may be used as input. In addition, if it is desired 
to analyze a single profile with the procedure of Figures 5A 
and 5B, a dummy user ID with that profile may be used as 
input . 

While the invention has been described in terms of 
specific embodiments, it is evident in view of the foregoing 
description that numerous alternatives, modifications and 
variations will be apparent to those skilled in the art. 
Accordingly, the invention is intended to encompass all such 
alternatives, modifications and variations which fall within 
the scope and spirit of the invention and the following 
claims . 
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We claim: 



1 1. A method for facilitating implementation of an automated 

2 system for transacting business , the system having a 

3 plurality of users, the users being subject to predetermined 

4 rules governing business conduct, the method comprising the 

5 steps of: 

6 assigning a user identifier to each user of the system; 

7 preparing a security profile corresponding to each 

8 identifier, each security profile including a set of 

9 authorized transactions; 

10 preparing a list of pairs of incompatible transactions 

11 in accordance with said predetermined rules; 

12 comparing each security profile with said list, to 

13 identify security profiles including at least one pair of 

14 incompatible transactions; and 

1 5 generating a report indicating those security profiles 

16 which include incompatible transactions and the user 

17 identifiers associated with those security profiles. 

1 2. A method according to claim 1, further comprising the 

2 steps of: 

3 after said preparing steps, storing the security 

4 profiles and the list of pairs of incompatible transactions 

5 in a computer-readable storage medium; and 

6 retrieving the security profiles and the list of pairs 

7 of incompatible transactions from the computer-readable 

8 storage medium, 

9 wherein said comparing step and said generating step are 
10 automated. 
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1 3. A method according to claim 1, further comprising the 

2 steps of: 

3 modifying at least one of 

4 (a) a security profile including a pair of 

5 incompatible transactions, and 

6 (b) said list of pairs of incompatible 

7 transactions, so that said security profile after 

8 modification does not include a pair of incompatible 

9 transactions; and 

10 generating a report indicating the modification made in 

11 said modifying step. 

1 4. A method for facilitating implementation of an automated 

2 system for transacting business, the system having a 

3 plurality of users, the users being subject to predetermined 

4 rules governing business conduct, the method comprising the 

5 steps of: 

6 assigning a user identifier to each user of the system; 

7 preparing a plurality of security profiles each 

8 including a set of authorized transactions, each user 

9 identifier being associated with at least one security 

10 profile; 

11 preparing a list of pairs of incompatible transactions 

12 in accordance with said predetermined rules; 

13 generating a set of transactions for each user 

14 identifier, the set of transactions for a given user 

15 identifier including all of the transactions in the security 

16 profiles associated with said user identifier; 

17 comparing said set of transactions with said list, to 

18 identify user identifiers having associated therewith at 

19 least one pair of incompatible transactions; and 

20 generating a report indicating those user identifiers 

21 identified in said comparing step. 
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1 5. A method according to claim 4, further comprising the 

2 steps of: 

3 after said preparing steps , storing the security 

4 profiles and the list of pairs of incompatible transactions 

5 in a computer-readable storage medium; and 

6 retrieving the security profiles and the list of pairs 

7 of incompatible transactions from the computer-readable 

8 storage medium, 

9 wherein said comparing step and said generating steps 
10 are automated. 

1 6, A method according to claim 4, further comprising the 

2 steps of: 

3 modifying at least one of 

4 (a) a security profile associated with a user 

5 identifier for a user authorized to perform a pair of 

6 incompatible transactions, and 

7 (b) said list of pairs of incompatible 

8 transactions, so that after modification said user identifier 

9 does not have associated therewith a pair of incompatible 

10 transactions; and 

11 generating a report indicating the modification made in 

12 said modifying step, 

1 7, A computer-readable medium having stored therein 

2 instructions for performing a method for facilitating 

3 implementation of an automated system for transacting 

4 business, the system having a plurality of users, the users 

5 being subject to predetermined rules governing business 

6 conduct, the method comprising the steps of: 

7 retrieving a security profile associated with each user 

8 identifier, the security profile including a set of 

9 authorized transactions; 

10 retrieving a list of pairs of incompatible transactions, 
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11 where said list is prepared in accordance with said 

12 predetermined rules; 

13 comparing each security profile with said list, to 

14 identify security profiles including at least one pair of 

15 incompatible transactions; and 

16 generating a report indicating those security profiles 

17 which include incompatible transactions and the user 

18 identifiers associated with those security profiles. 

1 8. A computer-readable medium having stored therein 

2 instructions for performing a method for facilitating 

3 implementation of an automated system for transacting 

4 business, the system having a plurality of users, the users 

5 being subject to predetermined rules governing business 

6 conduct, the method comprising the steps of: 

7 retrieving all security profiles associated with each 

8 user identifier, the security profiles each including a set 

9 of authorized transactions; 

10 retrieving a list of pairs of incompatible transactions, 

11 where said list is prepared in accordance with said 

12 predetermined rules; 

13 generating a set of transactions for each user 

14 identifier, the set of transactions for a given user 

15 identifier including all of the transactions in the security 

16 profiles associated with said user identifier; 

17 comparing said set of transactions with said list, to 

18 identify user identifiers having associated therewith at 

19 least one pair of incompatible transactions; and 

20 generating a report indicating those user identifiers 

21 identified in said comparing step. 
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ENHANCED SECURITY FEATURES 
FOR AN AUTOMATED ORDER FULFILLMENT SYSTEM 



ABSTRACT OF THE DISCLOSURE 



A method is described for facilitating implementation of 
an automated system for transacting business, where the 
system users are subject to predetermined rules governing 
business conduct. Each user is assigned a user ID and has a 
security profile, which lists the transactions that user is 
authorized to perform. A list is prepared of pairs of 
incompatible transactions (transactions which, if performed 
by the same user, would violate the predetermined rules). 
Each security profile is compared with the list, to identify 
security profiles including at least one pair of incompatible 
transactions. A report is then generated indicating those 
security profiles which include incompatible transactions and 
the user identifiers associated with those security profiles. 
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Mulhuddart, Dublin 15, Republic of Ireland 
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\ IBM Docket No. FJ9-9M40 

DECLARATION AND POWER OF ATTORNEY FOR ftATSHT APPLICATION 

■ 

As a below named inventor, I hereby d^plara that: 

My residence, post office, addresa and citizen Jhip are as stated b«low next to my name; 

I believe I am the original, first and' salt invlnfor (if the only narue is listed below) or 
an original, first and joint inventor 1 (if plural nam** are listed below) of the subject 
setter which is claimed and for which a patent ia sought on the invention entitled: 

ENHANCED SECURITY FEATURES FOR AN AUTOMATED OjRDER FULFILLMENT SYSTEM 
the specification of whlcn (check one) 



X is attached hereto. 



was filed on 
Application Serial No. 



1 hereby slate that I have reviewed and understand the contents of the above Identified specification, including the 
claims, as amended by any amendment referred to above. | 

i 

I acknowledge the duty to disclose information which Is materiel tp the patentability of this application in accordance with 
r<tte 37, Code of Federal Regulations, §1 .56(a). 



r hereby claim foreign priority benefits under Title 35, fJpltad Statia Code, §1 19 of any foreign application^) for patent or 
inventor^ certificate listed -billow and have aistf idertflfatf below dm ifcrefgh application for pstert or inventors certificate 
having a filing date before that of the appiicaifori dri which priorityjfe claimed: 

Prior Foreign Applications: * 

\ 

Number Country Patented ? Priority Claimed fYe* or Wo) 

N/A t 

i hereby claim the benefit under Title 35, United States Code; §120 of any United States application^) Iteted below and, 
ins$ar as the subject matter of each of the; claims otihls application > ji, not dfsolosed in the prijor United States , 
application in the manner provide by the first paragraph of Title 35, Ghited[6tates Code, §112, 1 acknowledge the duty 
to disclose material Information: a$ defined jn Tiiie37, pod* of FecJeiitfReflMlations, §l3e(e) which occurred between 
the riling date of the prior application and the national or PCT inte^ationai filing dale of this application; 

Application Serial No, Hllno Data gaift ftPttfflgd, PWttnfli fllffiMfo"**) 

N/A | 1 

t , 

I hereby declare that ail statements made herein of myjowfl knowledge are true and that a!) statements made on 
information arid belief are believed to be true; and funhV that thesk siaiemerrts were made wttfr the knowtedge that 
willful false statements and the like eo made are punishable by ffnior'Jmprisonment, or both, under Section 1001 of Titte 
18 of the United states Code and that such willful fatse istalement&lmay jeopardize the validity of the application or any 
patent issued thereon . | 

rl 

I. 

I 
y 
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* IBM Docket Wo. R 949-140 

POWER OF ATTORNEY: As the named Inventory hereby apfjplnt fh* following attaints) and/or agentW to 
prosecute tm application arid twmsari all businee&ln the Mlett ind Trademark Office connected therwrttti (list name & 
registration no.): Marc 0. Schechtor, Registration No. 28,9% Susan M. Munay, Registration No, 38,251; Joseph 
P. Abate, Registration No. 3p,23a; Aziz M, Ahi?aii, Registration No. 32,100; J*y H. And wwn, Rafllatratlon No, 
38,371; Lawrence o. Cutter, Registration No. 28,501; Ira D. fMejcker, Registration No. »,TO4; TWany L. 
Townsond, Registration No. 43,1&9; St&vtn Capetyt t Registration No. 33,086; Daryl K. Ntff, Registration No. 
38,263; Eric W. Petraske, Registration No. AtMil and Ji Detnlel Schrturmann, Registration No, 35,7*1. all of 
INtERNATlONAL BUSINEBfe iMACHINES CQllPdRATIpN; aftd Christopher A. Huglias, Registration No, M»*14; 
Edward A. Pennington, Registration No. 32,588; John E, Ho«*l. Registration No. 28,279; and Joseph c, Redmond, 
Jr, Registration No. 13,753, all of MORGAN AND FiNNEOAN. 

Send correspondence to: Jay H. Anderson, IBM Corporation, intaitactuai property Uw Dept., 1B/G, Z/ttz, B/300, 
1580 Route 52, Hopewell Junction, New York 12883 

Direct telephone calls to: Jay H. Anderson* 814*884-3687 

INVENTORS: 



Full name of first joint inventor: Michael T. Whkte 



Inventor signature: J Dale: 



Residence: 4 Faivfew Roa<* ? Hopewell Junction, New Yofk 12^3 
Cif fzenship: United states of America * 



Post Office address: Same as Residence 

sxftMBIti 




Full name of second joint Inventor Cathy A. Martin 1 | 
______ fe 

Inventor signature: [ Date; 
i 

Residence: 86 Hamlet Court, Wspplngers Palls, New York 1 2590 
Citizenship: United States of America | 

Post Office address; Same as Residence | 



Full name of third joint Inventor: Mary Ann Modre j 

n i I 

Inventor signature: ( Date: 

. , , L, _ 

Residence: 160 Pleasant ificfge Road, Poughqxiag, New York f |67jfc 

Citizenship: United States of America jt 

• f '-• 

Post Offlce ffcfiirriss: P.O. Box 778, Pleasant Ridge Rofcd, Poufihfquag, New Yoifc 12570 

k 

i 
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Full nairie of fourth Joint inventor: David Z, Neltl 




Residence: 85 Larchfreld, Dunboyra, County Mtath, Republic of tailftnd 



Citte&nsWp: United States of America 



! 



Post Office ?ddne$£ c/o IBM MFcroel«ctronlc$ Division, Dtm^own industrial Estate, 
Mulhuddirt, Dublin 15, Republic of Ireli 
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